Constable HaX0r loose in the UK? Well, yes and no

ZOMG, did you hear about how British cops are elite haxx0rz in ur base killing …

You can imagine a boot stamping on a human face forever, if that's your thing. But despite a spate of overheated headlines flowing out of the United Kingdom this weekend, you probably don't need to imagine it just yet. The impression created by the flurry of press reports is that police there have suddenly acquired new powers to hack private computers without a warrant. In point of fact, precisely nothing in British law has changed.

Here's the actual story. A little over a month ago, the European Union's Council of Ministers put out a release—reported in the British press at the time—announcing the adoption of a common strategy to fight cybercrime and online child pornography. The strategy itself does not appear to be available online, and none of this weekend's reports cite the full document. According to the summary, however, law enforcement agencies are "encouraged" to share information about border-crossing crime and "resort to remote searches," meaning surveillance involving (among other things) monitoring at a distance of suspects' computers by such means as keystroke loggers. Some €300,000 will be earmarked for Europol to implement the strategy.

As the Home Office notes, however, "the decision in the Council Conclusions are not legally binding and there are no agreed timescales," and the details remain to be worked out. The statutory limits on such surveillance remain in place. There is no reason to believe that, as the Times of London suggests, police "could break into a suspect's home or office" to install spyware without following all the procedures that apply to any other physical search.

In the United States, the Supreme Court has long held that "the Fourth Amendment protects people, not places," so that the "reasonable expectation of privacy," rather than the particular means by which information is acquired, triggers the warrant requirement. British law, by contrast, treats "physical interference" searches somewhat differently from "intrusive surveillance," the category into which electronic spying that didn't involve property intrusion might fall. Under Britain's Regulation of Investigatory Powers Act of 2000, a high-ranking law enforcement official, such as a police chief, can authorize "intrusive surveillance" in order to prevent or detect a serious crime. These authorizations are subject to review by the Office of Surveillance Commissoners, and in the absence of an emergency, a commissioner must sign off on an application before surveillance can begin.

RIPA has its share of critics, of course, and not without reason: some nosy city councils have abused RIPA surveillance powers to combat trivial offences. But if the statute provides insufficient oversight, then it does so quite independently of the recent cybercrime strategy. So the news, such as it is, consists of a month-old press release announcement that may or may not hint at more frequent future use of surveillance powers British police have had for years.

Sometimes, doubtless, "hacking" will prove the most effective means of conducting a search: In the US, the FBI recently used a piece of spyware known as CIPAV, or Computer and Internet Protocol Address Verifier, to bust a bomb-threat suspect, apparently installing it on the target's computer via his MySpace account.

But as Peter Sommer, a cybercrime expert at the London School of Economics, explained to the BBC, it typically won't be. If spyware is installed by physical intrusion, it's subject to the same standards as any other physical search; if done wholly remotely, the oversight rules remain the same as for any other sort of "intrusive surveillance," and may well implicate the requirements for communications interception as well. The intrusion may well be detected by antivirus software, and downloaded data is likely to be much easier to challenge in court than files seen to be copied directly from a suspect's physical drive.

It will be worth keeping a close eye on the EU cybercrime strategy as it develops. But the hyperventilating headlines about a new license to hack are largely the product of an entirely different sort of hackery.